linux幽灵漏洞检测和修复方法

时间:2016-06-05 02:23 来源:linux.it.net.cn 作者:IT

没想到最近linux的漏洞越来越多了,上一次的bash漏洞没过去多久,又爆出了新的漏洞,名为"幽灵漏洞(GHOST)".当我一看到有新的漏洞时,马上为我所管的服务器都打上了最新补丁,glibc的漏洞估计存在了很久了,大部分的编译都依赖于他,所以造成影响很大.好了,废话不多说,先来说说怎么检测服务器是否存在漏洞吧.

1.检测漏洞方法一:

vi ghost_check.sh

01	#!/bin/bash

02	vercomp () {

03	if [[ $1 == $2 ]]

then

return 0

07	local IFS=.

08	local i ver1=($1) ver2=($2)

09	# fill empty fields in ver1 with zeros

10	for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))

ver1[i]=0

done

14	for ((i=0; i<${#ver1[@]}; i++))

16	if [[ -z ${ver2[i]} ]]

then

18	# fill empty fields in ver2 with zeros

ver2[i]=0

21	if ((10#${ver1[i]} > 10#${ver2[i]}))

then

return 1

25	if ((10#${ver1[i]} < 10#${ver2[i]}))

then

return 2

done

return 0

}

33	glibc_vulnerable_version=2.17

34	glibc_vulnerable_revision=54

35	glibc_vulnerable_version2=2.5

36	glibc_vulnerable_revision2=122

37	glibc_vulnerable_version3=2.12

38	glibc_vulnerable_revision3=148

39	echo "Vulnerable glibc version <=" $glibc_vulnerable_version"-"$glibc_vulnerable_revision

40	echo "Vulnerable glibc version <=" $glibc_vulnerable_version2"-"$glibc_vulnerable_revision2

41	echo "Vulnerable glibc version <="$glibc_vulnerable_version3"-1."$glibc_vulnerable_revision3

43	glibc_version=$(rpm -q glibc \| awk -F"[-.]" '{print $2"."$3}' \| sort -u)

44	if [[ $glibc_version == $glibc_vulnerable_version3 ]]

then

46	glibc_revision=$(rpm -q glibc \| awk -F"[-.]" '{print $5}' \| sort -u)

else

48	glibc_revision=$(rpm -q glibc \| awk -F"[-.]" '{print $4}' \| sort -u)

50	echo "Detected glibc version" $glibc_version" revision "$glibc_revision

52	vulnerable_text=$"This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>

53	Update the glibc and ncsd packages on your system using the packages released with the following:

54	yum install glibc"

56	if [[ $glibc_version == $glibc_vulnerable_version ]]

then

58	vercomp $glibc_vulnerable_revision $glibc_revision

59	elif [[ $glibc_version == $glibc_vulnerable_version2 ]]

then

61	vercomp $glibc_vulnerable_revision2 $glibc_revision

62	elif [[ $glibc_version == $glibc_vulnerable_version3 ]]

then

64	vercomp $glibc_vulnerable_revision3 $glibc_revision

else

66	vercomp $glibc_vulnerable_version $glibc_version

69	case $? in

70	0) echo "$vulnerable_text";;

71	1) echo "$vulnerable_text";;

72	2) echo "Not Vulnerable.";;

esac

检测命令:
./ghost_check.sh
检测结果如下图:
点击查看原图

可以看到这台服务器是存在漏洞的.

2.检测漏洞方法二:

1	/usr/sbin/clockdiff `python -c "print '0' * $((0x10000-161-24-1-4))"`

第2个检测方法在我的机器上报错,所以我用了其他人的图,如下:
点击查看原图

3.检测漏洞方法三:
vi ghost.c

01	#include <netdb.h>

02	#include <stdio.h>

03	#include <stdlib.h>

04	#include <string.h>

05	#include <errno.h>

07	#define CANARY "in_the_coal_mine"

struct {

10	char buffer[1024];

11	char canary[sizeof(CANARY)];

12	} temp = { "buffer", CANARY };

14	int main(void) {

15	struct hostent resbuf;

16	struct hostent *result;

17	int herrno;

18	int retval;

20	/*** strlen (name) = size_needed - sizeof (host_addr) - sizeof (h_addr_ptrs) - 1; ***/

21	size_t len = sizeof(temp.buffer) - 16sizeof(unsigned char) - 2sizeof(char *) - 1;

22	char name[sizeof(temp.buffer)];

23	memset(name, '0', len);

24	name[len] = '\0';

26	retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

28	if (strcmp(temp.canary, CANARY) != 0) {

29	puts("vulnerable");

30	exit(EXIT_SUCCESS);

}

32	if (retval == ERANGE) {

33	puts("not vulnerable");

34	exit(EXIT_SUCCESS);

}

36	puts("should not happen");

37	exit(EXIT_FAILURE);

}

检测命令:
gcc ghost.c -o ghost && ./ghost
检测结果如下图:
点击查看原图

可以看到也是检测出了漏洞.好了,下面来说怎么修复漏洞吧.

4.修复方法:
RedHat、Fedora、CentOS系统:
yum update glibc glibc-devel glibc-common glibc-headers -y

Debian、Ubuntu系统:
apt-get clean && apt-get update && apt-get upgrade
或
apt-get clean && apt-get update && apt-get -y install libc6

ps:
升级后,建议重启用到glibc的进程或者重启服务器.

(责任编辑：IT)